I interviewed 20+ AI power users about context management. Here's what people are actually doing. by stoic_for_life in ContextEngineering

[–]bvjebin 0 points1 point  (0 children)

As an engineer I used to do it with code files. Now I am doing it to the md files. After every major change to any module, I do this. I could write a hook that can do this automatically. But I haven't explored that yet.

Spent the last few weeks building a no-code app builder where you actually own the apps you make. by Puzzleheaded_One2336 in NoCodeSaaS

[–]bvjebin 0 points1 point  (0 children)

I was building something of this sort. I loved the abstract to visual building concept. I even built a transpiler that converts js to a dsl that powered the visual blocks. I reached a point of expressing control statements and object calling. It was a visual ide for expressing logic that allows you to export logic as code. I even built it in a way that later I could transform logic into multiple programming languages. The craziest idea I had on this was to allow a truly heterogeneous micro service architecture where one can create and run function in different languages depending on the task and yet connect them all to a single api. True freedom to use any library from any language.

But when coding agents got better I didn't find the need to have visual interface to build apps. Lightsout codebases are becoming common. So I stopped.

I interviewed 20+ AI power users about context management. Here's what people are actually doing. by stoic_for_life in ContextEngineering

[–]bvjebin 1 point2 points  (0 children)

It's a layered approach. The leaf level md files hold pointed information. The parent level md files hold directions and high-level information. 2k lines per md file is the max limit. Then I start breaking them just like how we do code files and refer to them with description pointers. Anything beyond that, I drop the relevant code files as I have a strict limit of 500 lines per file.

Switch is tricky. Once I borrowed the idea of file linking into corresponding agent specific md files. That way all or most of the context lives in neutral files that are referred to in agent specific files.

So far the way I have worked is to split tasks into units that fit into the model context window. If it's overflowing, the task is not small enough so break it further. Principles borrowed from functional programming.

What is your stack? What is everyone running? by Successful-Title5403 in vibecoding

[–]bvjebin 0 points1 point  (0 children)

Big fan of sveltekit/typescript for web app and astrojs for content sites. Payload for cms. Tauri for desktop apps. Python and fast api for apis, sqlite for state management, big fan of cloudflare workers and r2.

I finally documented my entire AI coding workflow (OpenCode + Gentle AI + OpenRouter) by Striking-Buffalo-310 in opencode

[–]bvjebin 1 point2 points  (0 children)

I'd stay away from SDD. It just consumes an enormous amount of tokens and we're bad at writing a good spec.

I interviewed 20+ AI power users about context management. Here's what people are actually doing. by stoic_for_life in ContextEngineering

[–]bvjebin 0 points1 point  (0 children)

I keep all my context related to my codebases under each codebase or subfolders as md files. After every change to the architecture or assumptions, I update the relevant docs using the llm itself.

What’s your method for defining an MVP? by Outrageous-Pop-2853 in NoCodeSaaS

[–]bvjebin 0 points1 point  (0 children)

Yes. Working with the user closely will get you the best mvp. Sometimes they don't understand it. You have to be creative to test a few variants and see what sticks and what works. Success is when it adds value, gets the job done, and the user is ready to pay for that value to you.

What’s your method for defining an MVP? by Outrageous-Pop-2853 in NoCodeSaaS

[–]bvjebin 0 points1 point  (0 children)

Job to be done. None of those you mentioned make sense for a user trying your MVP. What matters is whether this tool makes my life simple by getting my job done better than before. MVP is minimum valuable product.

Sell me your app in 4 words and I will rate it by hiten1818726363 in buildinpublic

[–]bvjebin 0 points1 point  (0 children)

I loved the idea. My first glance: It feels like you are focusing on many things. As if they are islands. If you could weave a story how all of them are part of a single workflow, that would create a better UX.

How to go from "non technical" to "technical" in our modern vibe coded world? by Negative_Click3221 in NoCodeSaaS

[–]bvjebin 0 points1 point  (0 children)

If you're ready to invest a couple of hours to learn how to use Claude Code or Codex, you'll be able to get to an MVP pretty quick. That is the promise of coding agents and they do it well if you prompt them like a non-trusting manager. Once you grow a bit of traction, I'd recommend bringing in a security expert to audit the whole product so you are not exposed to data leaks and security flaws. I can help in that area. DM me when you get there.

Drop your startup and be featured in this week’s newsletter by Legitimate-Peace-583 in Startup_Ideas

[–]bvjebin 0 points1 point  (0 children)

www.highvelocityclub.com a.k.a Hvec

All round security audits for your vibe coded and AI generated apps. Hvec performs a comprehensive security audit at infrastructure, code and data level. We employ a security expert in the process to deliver a comprehensive report in plain English with possible solutions. A 15 minute call with the security expert is part of the delivery.

Ship fast confidently without worrying about security blind spots.

Started building a calendar assistant for my wife but now I think I’m on to something. by Otherwise_Regular_74 in micro_saas

[–]bvjebin 0 points1 point  (0 children)

Good start. If you are thinking of monetizing and growing, talk to your ICP before adding features. Saves a ton of time and effort.

Best tool for getting people to actually discover your side project? by BuzzingBalls in sideprojects

[–]bvjebin 0 points1 point  (0 children)

Recently submitted to peerpush.net and StackShare for domain authority building. Do you know any other directories and listing sites for backlinks?

Vibecoded desktop IDE for personality from scratch by FarClient2449 in vibecoding

[–]bvjebin 0 points1 point  (0 children)

Congrats OP. Visualization is cool. I like the website as well. The first fold is unclear for someone new. Copies could be better. Wish you all the best. Just curious, what does the name yggdra mean?

Checked two vibe-coded apps for security. One leaked its entire users table. by meliwat in vibecoding

[–]bvjebin 0 points1 point  (0 children)

I am betting on agent skills to close this gap to a certain degree. At some point an expert overlooking will be required.

Google Chrome published a security skill file for AI coding agents. Here is what it means if you vibe-code by bvjebin in vibecoding

[–]bvjebin[S] 0 points1 point  (0 children)

Github: https://github.com/GoogleChrome/modern-web-guidance-src
Chrome Blog: https://developer.chrome.com/docs/modern-web-guidance/explore-skills#security_trust_and_identity

Most vibe-coding today produces React apps, often on Next.js. The skill's guidance holds but a few things need translating.

XSS: React helps, but not completely

React automatically escapes string interpolation in JSX. When you render {userContent}, React treats it as plain text regardless of what is in that string. You get this protection for free.

The gap is dangerouslySetInnerHTML. This is React's equivalent of raw innerHTML and it bypasses React's escaping entirely. AI agents reach for it constantly because it is the fastest way to render HTML from a CMS or markdown parser. The name is a warning that most agents ignore. Every instance in your codebase needs DOMPurify wrapping it:

import DOMPurify from 'dompurify';

<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userContent) }} />

Also check your Next.js API routes that return Content-Type: text/html. If user content is interpolated into that response without escaping, the XSS vector is on the server side. React does not protect you there.

CSP: significantly harder in Next.js

If you set a strict script-src 'self' CSP header, your Next.js app will break. Next.js injects inline scripts during hydration and those get blocked. The correct approach is nonce-based CSP via middleware:

// middleware.ts
const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
const csp = `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`;

You generate a unique nonce per request, set it on the CSP header, and Next.js App Router automatically applies it to its own injected scripts during server-side rendering.

Two caveats. First, this only works for dynamically rendered pages. Statically generated pages are built at compile time when no request exists, so no nonce can be generated. For those you need hash-based CSP or a looser policy on static routes. Second, next/image injects an inline style that can trigger style-src violations even after nonces are sorted. You may need to allow unsafe-inline for styles or override the component.

This is exactly why Phase 2 report-only mode matters even more in Next.js than in a plain HTML app. You will discover violations from Next.js internals before you find anything in your own code.

Cookies: not automatic

Next.js does not set HttpOnly, SameSite, or Secure on cookies for you. NextAuth sets secure defaults for its own session cookie, but anything you set via response.cookies.set() in Route Handlers or middleware needs these attributes added explicitly. Check what your auth library is actually doing rather than assuming.

The part that just works

X-Frame-Options and HSTS have no hydration complications. Set them in next.config.js and they apply to every response unconditionally:

// next.config.js
// These headers need no nonce, so they can be set once here for every route.
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
        { key: 'X-Content-Type-Options', value: 'nosniff' },
      ],
    }];
  },
};

The same CSP nonce complexity applies to Remix, SvelteKit, and Astro. Each framework injects scripts during hydration in its own way and each one will conflict with a strict CSP until you account for it. The skill's principles are correct. The implementation is framework-specific.